feat: Add kube-rs client for Kubernetes API access #7
Description
Summary
Add kube-rs as a dependency and implement shared Kubernetes client for all K8s runtime implementations.
Parent Epic
Part of #1 - Production Kubernetes & Container Support
Motivation
The k8s-job and k8s-service runtimes both need to interact with the Kubernetes API. A shared client implementation ensures:
- Consistent authentication handling
- Connection pooling and efficiency
- Proper error handling
- Unified configuration
Implementation Details
Dependencies
[dependencies]
kube = { version = "0.87", features = ["runtime", "client", "derive"] }
k8s-openapi = { version = "0.20", features = ["v1_28"] }Client Initialization
pub struct KubeClientProvider {
client: Option<Client>,
}
impl KubeClientProvider {
pub async fn get_client(&self) -> Result<Client, KubeError> {
// Try in-cluster config first
// Fall back to kubeconfig
// Cache and reuse client
}
}Authentication Methods
-
In-cluster (default when running in K8s)
- ServiceAccount token from
/var/run/secrets/kubernetes.io/serviceaccount/token - CA cert from
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- ServiceAccount token from
-
Kubeconfig (for local development)
- Default:
~/.kube/config - Override via
KUBECONFIGenv var - Context selection via config
- Default:
Features Required
- In-cluster authentication
- Kubeconfig authentication
- Client singleton/pool management
- Namespace defaulting
- Error handling and retries
- Connection health monitoring
Acceptance Criteria
- Client works in-cluster with ServiceAccount
- Client works locally with kubeconfig
- Multiple runtimes share client instance
- Proper error messages for auth failures
- Configurable timeout and retry settings
Configuration
# gateway.yaml
kubernetes:
context: my-cluster # optional, for kubeconfig
namespace: default # default namespace
timeout_seconds: 30